Note: Late submission will be assigned a mark of zero
Wireshark is a protocol analyzer for collecting network traffic data and statistics. Download and install the Wireshark protocol analyzer from www.wireshark.org. Unless you signed an Acceptable Use Policy (AUP) document that disallows this, capture traffic from your live business or school network. (If you have signed an AUP that disallows capturing network traffic, capture from your home network instead.) Answer the following questions.
Part A:
1. In Wireshark, go to Statistics > Summary. What is the Average Mbps?
Avg. Mbit/sec = 0.082
2. Go to Statistics > Protocol Hierarchy. Which protocols use most of the bandwidth?
3. Go to Statistics > Packet Lengths > Create Stat.
What percentage of packets are less than 80 bytes? 33.77%
What percentage of packets are 80–1279 bytes? 18.61%
What percentage of packets are larger than 1279 bytes? 47.62%
Print screen to show the above values.
[pic]
4. Capture network traffic while accessing your favourite website with your web browser. In Wireshark, go to Statistics > HTTP > Packet Counter >Create Stat.
How many Response Packets did you capture? 75
What types of Response Packets and how many of each type did you capture?
Part B:
Start the Wireshark application again and capture packets from your computer. Using a web browser, navigate to http://www.yahoo.com.. Also, find the reply.
Describe in detail the DNS data in both the query and the reply. Note, if you can’t find the query and reply, you may need to clear your DNS cache.
The query had a UDP with the destination port of 52 and a size of 29. It had 1 question for Class A on the URL www.yahoo.com
The response was also a UDP with a source port of 52 and size of 166. It provided 5 DNS response answers to the query, which were: fd-fp3.wg1.b.yahoo.com, ds-fp3.wg1.b.yahoo.com, ds-any-fp3-lfb.wa1.b.yahoo.com and ds-any-fp3-real.wa1.b.yahoo.com
Part C:
• Open Wireshark and enter “ip.addr == your_IP_address” into the filter, where you obtain your_IP_address with ipconfig. This filter removes all packets that neither originate nor are destined to your host.
• Start packet capture in Wireshark.
• With your browser, visit the Web page: http://www.ietf.org
• Stop packet capture.
Answer the following questions:
1. Locate the DNS query and response messages. Are then sent over UDP or TCP?
They are sent over UDP.
2. What is the destination port for the DNS query message? What is the source port of DNS response message?
Both the DNS quesry and the DNS response, destination and source port respectively we domain (53).
3. To what IP address is the DNS query message sent? Use ipconfig to determine the IP address of your local DNS server. Are these two IP addresses the same?
Both the IP address were the same. 141.117.199.86
3. Examine the DNS query message. What “Type” of DNS query is it? Does the query message contain any “answers”?
The query does not provide any answers. The query is a TYPE A.
4. Examine the DNS response message. How many “answers” are provided? What do each of these answers contain?
In this case there is 1 answer in the response message. This answer contains it’s lifetime, data size, address and type.
5. Consider the subsequent TCP SYN packet sent by your host. Does the destination IP address of the SYN packet correspond to any of the IP addresses provided in the DNS response message?
In this case they do correspond.
6. This web page contains images. Before retrieving each image, does your host issue new DNS queries?
In this case the host does not issue new DNS queries when retrieving images.
Part D: DNS
Now let’s consider nslookup command.
• Start packet capture.
• Do an nslookup on www.mit.edu
• Stop packet capture.
You should get a trace that looks something like the following:
[pic]
We see from the above screenshot that nslookup actually sent three DNS queries and received three DNS responses. For the purpose of this assignment, in answering the following questions, ignore the first two sets of queries/responses, as they are specific to nslookup and are not normally generated by standard Internet applications. You should instead focus on the last query and response messages.
1. What is the destination port for the DNS query message? What is the source port of DNS response message?
Domain (53) is the destination and source port respectively as it was before.
2. To what IP address is the DNS query message sent? Is this the IP address of your default local DNS server?
Once again the address is the same 141.117.199.86.
3. Examine the DNS query message. What “Type” of DNS query is it? Does the query message contain any “answers”?
The query does not provide any answers. The query is a TYPE A.
4. Examine the DNS response message. How many “answers” are provided? What do each of these answers contain?
In this case there is 1 answer in the response message. This answer contains it’s lifetime, data size, address and type
5. Provide a screenshot here.
Now repeat the previous experiment, but instead issue the command prompt:
At the command prompt type in: nslookup –type=NS mit.edu
Answer the following questions:
6. To what IP address is the DNS query message sent? Is this the IP address of your default local DNS server?
This has not changed, it is still the same 141.117.199.86
7. Examine the DNS query message. What “Type” of DNS query is it? Does the query message contain any “answers”?
The query does not provide any answers. The query is a TYPE NS.
8. Examine the DNS response message. What MIT nameservers does the response message provide? Does this response message also provide the IP addresses of the MIT namesers?
No IP address is provided but the following MIT servers show respons messages
W20NS.mit.edu, STRAWB.mit.edu and BITSY.mit.edu
9. Provide a screenshot.
Now repeat the previous experiment, but instead issue the command: nslookup www.aiit.or.kr bitsy.mit.edu
Answer the following questions4:
10. To what IP address is the DNS query message sent? Is this the IP address of your default local DNS server? If not, what does the IP address correspond to?
In this case the IP addresses differ. The address not provided is 18.72.0.3 which is the same as mit.edu.
11. Examine the DNS query message. What “Type” of DNS query is it? Does the query message contain any “answers”?
In this case no answers are provided in the query. This is of TYPE A.
12. Examine the DNS response message. How many “answers” are provided? What does each of these answers contain?
In this case there is no answers provided.
13. Provide a screenshot.
Part E: SSL
In this part, we’ll investigate the Secure Sockets Layer (SSL) protocol, focusing on the
SSL records sent over a TCP connection. We’ll do so by analyzing a trace of the SSL records sent between your host and an e-commerce server. We’ll investigate the various
SSL record types as well as the fields in the SSL messages.
[pic]
1. Capturing packets in an SSL session
The first step is to capture the packets in an SSL session. To do this, you should go to your favorite e-commerce site and begin the process of purchasing an item (but terminating before making the actual purpose!). After capturing the packets with Wireshark, you should set the filter so that it displays only the Ethernet frames that contain SSL records sent from and received by your host. (An SSL record is the same thing as an SSL message.) You should obtain something like screenshot on the previous page.
2. A look at the captured trace
Your Wireshark GUI should be displaying only the Ethernet frames that have SSL records. It is important to keep in mind that an Ethernet frame may contain one or more SSL records. (This is very different from HTTP, for which each frame contains either one complete HTTP message or a portion of a HTTP message.) Also, an SSL record may not completely fit into an Ethernet frame, in which case multiple frames will be needed to carry the record.
1. For each of the first 8 Ethernet frames, specify the source of the frame (client or server), determine the number of SSL records that are included in the frame, and list the SSL record types that are included in the frame. Draw a timing diagram between client and server, with one arrow for each SSL record.
|# of records |Record Type |
|1 |Client Hello |
|3 |Server Hello, CipherSpec, Encrypted Handhsake Message |
|2 |Change CyperSpec, Encrypted Handshake Message |
|1 |Application Data Protocol |
|1 |Application Data Protocol |
|1 |Application Data Protocol |
|1 |Application Data Protocol |
2. Each of the SSL records begins with the same three fields (with possibly different values). One of these fields is “content type” and has length of one byte. List all three fields and their lengths.
Content Type = 1 bytes
Version = 2 bytes
Length = 2 bytes
ClientHello Record:
3. Expand the ClientHello record. (If your trace contains multiple ClientHello records, expand the frame that contains the first one.) What is the value of the content type?
The value of the content type in the first Client Hello, which is also the first record is 22.
4. Does the ClientHello record contain a nonce (also known as a “challenge”)? If so, what is the value of the challenge in hexadecimal notation?
In this case it says “Challenge: Not Set”
5. Does the ClientHello record advertise the cyber suites it supports? If so, in the first listed suite, what are the public-key algorithm, the symmetric-key algorithm, and the hash algorithm?
PAK= TLS_RSA
SKA=AES 256
HA= SHA
ServerHello Record:
6. Locate the ServerHello SSL record. Does this record specify a chosen cipher suite? What are the algorithms in the chosen cipher suite?
[pic]
As seen in this screenshot is is the same as in question 5.
7. Does this record include a nonce? If so, how long is it? What is the purpose of the client and server nonces in SSL?
As seen before the challenge is not set. The serveer challenge in SSL is used to prevent replay attacks.
8. Does this record include a session ID? What is the purpose of the session ID?
A session ID is provided in the record in order to keep track of communication messages during the interaction.
9. Does this record contain a certificate, or is the certificate included in a separate record. Does the certificate fit into a single Ethernet frame?
The certificate is provided separately in the form of three Ethernet frames due to it’s size.
Client Key Exchange Record:
10. Locate the client key exchange record. Does this record contain a pre-master secret? What is this secret used for? Is the secret encrypted? If so, how? How long is the encrypted secret?
The pre-master secret is included and is encyrpted and is used to create indetical encytions on both client and server deviceds. In this case it is 128 bits.
Change Cipher Spec Record (sent by client) and Encrypted Handshake Record:
11. What is the purpose of the Change Cipher Spec record? How many bytes is the record in your trace?
The change Cipher Spec is the process of converting the pre-master to the master secret.
12. In the encrypted handshake record, what is being encrypted? How?
During the handshake record the final handshake is being encrypted, this is done by using the hashing algorithm.
13. Does the server also send a change cipher record and an encrypted handshake record to the client? How are those records different from those sent by the client?
The encrypted handshake message is was differs between the two records, which is also created by the server.
Application Data:
14. How is the application data being encrypted? Do the records containing application data include a MAC? Does Wireshark distinguish between the encrypted application data and the MAC?
Wireshark is unable to tell the difference because the application information is being encrypted by the MAC algorithm.
